Payment Card Security & IT Controls Explained

Building a crash-proof internet, Off-the-Internet Processes

July 2, 2009

An interesting article in New Scientist by Bennett Daviss addresses the challenges of building a crash-proof internet, and how the internet has become a mission-critical part of our lives, personal and professional.  The internet is not guaranteed to be up, and unless conscious effort is taken to ensure that your business’ packets keep flowing, a random event will likely cause a disruption of at least one hour, if not many.  Rackspace’s operational problems the other day highlighted this fact.

The article has a nice breakdown of the threats and highlights one specific solution: revamping the routers.  Achieving this ‘revamp’ requires deploying new and emerging concepts onto in-production devices without causing an interruption, which has led to the need for a separate test bed.  The concept of building a separate internet for testing massive firmware upgrades and innovative new approaches is underway with GENI, and it creates a great opportunity to build in security and operational integrity.  OpenFlow, designed to slice up a router so that researchers can test ideas on production devices without requiring entirely new hardware or introducing downtime, does cause me to pause and consider the inherent risks:

“OpenFlow program can be added to almost any router, where it acts like a remote control for the proprietary algorithms and hardware inside.”

This project is highlighted in the article, and it does carry inherent risk: introducing such an access vector into core internet routers may initially create more interruptions than it prevents.  Careful consideration should always be given when adding features to systems that are inherently single-tasked, not solely because of the vulnerabilities that may be introduced, but because of the complexity added as a result.
Complexity has proven time and again to be the greatest threat to technology, so any increase should be made consciously and expertly, ensuring that the entire control environment reflects the change.

Creating a crash-proof internet is an important effort (especially considering the impact of Michael Jackson’s death on social networking sites, and of the Iranian elections on Twitter), but one must remember that the internet is a service provider, and as such contingency plans must be devised.  Separate network connections, satellite links, and off-the-internet (OII) processing must exist.  Consider how your business would be affected without the internet; with the loss of half the planet; with a loss of consistent uptime.

Preparation is good business and a necessary safeguard advised by numerous regulations.

Best regards,

James DeLuccia IV

Categories: Compliance

Audits of the future must enrich and enforce your IT Strategy

June 25, 2009

Yesterday I presented with Prat Moghe, the founder of Tizor, on the challenges faced by businesses.  A broad topic, but we focused primarily on database administrators and those charged with the controls in place.  While we went into great detail on the difficulties of manually evaluating controls in a checkbox manner, and I highlighted specific concerns on Twitter (#nzdc), a more basic harm and cause emerged: most organizations have been approaching audits and controls in the wrong manner.

First off, consider what the point of the audit is.  The answer usually takes one of two forms:
  • The Federal government and our industry cohorts don’t trust how we’ll do business, so we have to demonstrate particular safeguards and baseline operating integrity to keep our operating license.
  • Management is overseeing a massively complex organism, and only through third-party verification and evaluation shall we know what in the world is right, wrong, or a complete waste.

Both responses are right, and there is nothing wrong with leaning further toward either, but there is a severe cost.  Treating an audit as a checkbox exercise means that the INTENT is not being satisfied (the classic “compliance does not equal security” is a prime example), and one should not be passing such audits, but that is not the focus of this post.  Furthermore, conducting an audit in a manner where one simply responds and loosely ties the controls together for the sake of “the audit” every year means a complete loss of the savings that could be achieved from such events.
There is no doubt that audits are time consuming and resource intensive, similar to a high-stakes test.  The difference is that when you take a high-stakes test and then take it again, you reuse the same information and have learned from the prior experience.  Too often organizations do not carry those lessons forward, because audits are treated as one-time events and not integrated.

To be sure, auditors vary in skill, standards stretch across the spectrum from prescriptive to principle-based, and management and company culture severely affect how these evaluations are viewed and addressed.  It is also true that without carrying these lessons beyond the hours in which the audit occurs, errors, expense, time, and resources will be continually lost.

Best Practice Advice:

Consider your audit plan for the year and how each audit fits with your IT strategy and IT governance function as part of the company governance program.  Draft a charter that reflects how these audits work toward the company’s goals, and how each audit enforces and ENRICHES business operations.

Thoughts and contributions?

James DeLuccia IV
CIA, CISA, CISM, CISSP, CPISA, CPISM

Check out the webinar I mentioned above here; it will be archived and viewable at your leisure.

Categories: Compliance

Federal Court fines Payment Processor for poor Business Practices

June 22, 2009

Proper business practices are a necessity, and when dealing with other people’s money they are paramount.  The FTC has again fined a business for not performing proper due diligence on new accounts.  ChoicePoint, now wholly owned by LexisNexis, was previously penalized for such practices in its infamous “breach”, where a fraudulent account was set up and used to pilfer hundreds of thousands of consumer records.

The latest fine is against a payment processor that did not follow its own guidelines for onboarding new merchants.  The result was more than $2.38 million in fraudulent charges against consumers.  A federal court has ordered the business to pay $1,779,000 in consumer redress and to end the illegal practices.

…the payment processor did not follow its own guidelines for new merchants and did not check addresses, phone numbers, or references the bogus merchant provided. The FTC alleged that the defendants anticipated that the scam would generate high return rates, that they did not request or obtain proof that consumers had authorized debits to their accounts, and that they continued to process charges even after receiving complaints from consumers and banks and unacceptable explanations about unauthorized debits from the merchant. The complaint alleged that more than 70 percent of the merchant’s transactions were returned or refused by the consumers’ banks.

What is interesting is this: what risk management practices existed in the business that let this go on for so long, and what audit efforts were conducted that failed to catch these deficiencies in existing controls?

Guidelines and proper business practices are NOT checkboxes to be ticked for their own sake; they are to be adhered to in a manner that ensures the operational integrity and fidelity of the business.

A great article on the power of “checklists” is available here at the New Yorker.

Best regards,

James DeLuccia IV

Categories: Compliance · IT Controls · Institute of Internal Auditors · audit · fraud · information security

QSA Liability – CardSystems and court precedent

June 2, 2009

The recent news about RBS WorldPay and Heartland highlights the importance of quality audit work by the firms attesting to each organization’s security adherence.  Quality is important, and since every QSA is required to accept liability and indemnify the card brands before delivering any work, an entire business can be at risk.  Why is this news now, four years after the event?

The CardSystems matter is still alive and well in the courts: the acquirer (Merrick) that had to cover the costs of the fraudulent charges has filed suit against the auditor (Savvis) for negligence and lack of due care.  That assessment was performed under the original Visa CISP, but the case can naturally set a precedent for firms conducting these evaluations today.  Check out the news story here and the court case details here.

What does this mean for Auditors / QSA firms?  Simple:

  • Get it right the first time;
  • Have proper engagement documents to protect against such cases;
  • Maintain good documentation, and again, do it right;
  • Learn from the professionals: financial auditors and internal auditors (the Institute of Internal Auditors, for example) have long-established workpaper guidance and quality methodologies that are carefully maintained.

This court case highlights the importance of diligent work and careful quality review.  Ideally the 2009 Quality Check process will capture deficiencies in the process early, before breaches happen.

What does this mean for Businesses relying on these audits:

  • Carefully consider the points I raised on hiring a QSA
  • Check out Siva’s post on vetting a QSA
  • You get what you pay for…
  • These audits are VALIDATIONS, not exams; it is in everyone’s interest to identify, mitigate, protect and maintain

Kim Zetter has a nice write-up at Wired on this brewing activity.

Thoughts on how this will affect the landscape?

James DeLuccia IV

Categories: Compliance

Twitter, PCI DSS posts…

May 26, 2009

In preparation for a PCI DSS training seminar I am hosting this month, I uncovered a few nuggets within the PCI DSS universe that ALWAYS draw questions and concerns.  Catch my 140-character contributions below.  If you are not using Twitter or another search aggregator to identify updates and vulnerabilities, you are working too hard (and out of compliance with some requirements; PCI DSS Requirement 6.2, for instance).  This doesn’t mean tracking people who post personal items; find and follow those who have a propensity to discuss items of interest to you!  Start by searching for #PCI and go from there.  Feel free to follow me, of course, and check out the SecurityTwits.

Kind regards,

James DeLuccia

Categories: Compliance · IT Controls · audit